Microsoft mulls Internet Explorer information disclosure leak

Microsoft refuted claims on Thursday that an information disclosure leak in its Internet Explorer browser poses a privacy risk, arguing that the company publicizing the issue is seeking to put its competitors in an unfavorable light.

Microsoft refuted claims on Thursday that an information disclosure leak in its Internet Explorer browser poses a privacy risk, arguing that the company publicizing the issue is seeking to put its competitors in an unfavorable light.

Spider.io, a U.K. based company in the advertising analytics field, alleged that two unnamed companies are improperly using a flaw that allows them to track whether display advertisements, sometimes buried far down in web pages, are actually viewed by users.

The information disclosure leak in IE versions 6 through 10 is said to allow a display advertisement rigged with JavaScript to find out the position of a mouse cursor, which combined with other data can reveal whether a display advertisement is within the "viewport," or the window of the browser in which a person sees content.

Spider.io charged in a video that using such a flaw is improper, and that it uses a different method to collect the same data on display ad visibility.

Microsoft disagrees with Spider.io. "The underlying issue has more to do with competition between analytics companies than consumer safety or privacy," wrote Dean Hachamovitch, corporate vice president for Internet Explorer.

Spider.io's CEO, Douglas de Jager, said via email that it is a notable data leak and that Microsoft's accusation is an attack on his company. He said in an interview that at least one other ad analytics company was aware of the flaw but deliberately decided not to use it to gather display ad statistics.

Spider.io also alleged the issue could be used by an attacker to figure out what keys a person is clicking on a virtual keyboard, which are sometimes displayed in software products to avoid using the physical keyboard, which could be monitored with malicious software. Microsoft rejected the allegation, saying there's no way for an attacker to know what kind of content is below a cursor.

It's not uncommon for the security community to be somewhat in flux about whether to call a problematic issue in software a security vulnerability or not, and debate often ensues on how to classify an issue.

Still, Microsoft said it is contacting companies that are using the information leak as part of their ad-tracking metrics. It appears Microsoft does regard it as a minor issue that could be remedied in some way.

"We are actively working to adjust this behavior in IE and will provide more information when it is available," Hachamovitch said in an email.